System and method for detecting fraud and misuse of protected data by an authorized user using event logs

ABSTRACT

A system and method are provided for detecting fraud and/or misuse of data in a computer environment through generating a rule for monitoring at least one of transactions and activities that are associated with the data. The rule can be generated based on one or more criteria related to the at least one of the transaction and the activities that is indicative of fraud or misuse of the data. The rule can be applied to the at least one of the transactions and the activities to determine if an event has occurred, where the event occurs if the at least one criteria has been met. A bit is stored if the event has occurred and a notification can be provided if the event has occurred. A compilation of bits related to the rule can be provided.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation-in-part of U.S. patent application Ser. No. 11/420,645, filed on May 26, 2006, which claims priority to U.S. Provisional Application Ser. No. 60/685,655, filed May 31, 2005, the entire contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

The invention relates to a system and method of detecting fraud and/or misuse in a computer environment based on analyzing data such as in log files, or other similar records, including user identifier data. More particularly, the invention relates to a system and method of detecting fraud and/or misuse in a computer environment based on analyzing application layer data such as in log files, including user identifier data.

BACKGROUND OF THE INVENTION

Conventional systems for detecting fraud or misuse by users are deficient at least because conventional systems have limited abilities to recognize log file formats and access the log files. This is especially difficult when a system accesses file logs that are generated by different applications, since each application may generate a different log file format.

Other problems with conventional systems include that users may have several different ways of accessing company (or other similar organizations) systems. For example, in many instances, users may use several different user-ids and passwords to access different applications or data stores of an organization. Fraud or misuse detection systems may have no way to correlate the activity of the user across the various applications. Likewise, in some instances, evaluating the behavior of a user based on one application may not provide enough information to discern a pattern of behavior that may be indicative of fraud or misuse of a company's system or information.

Some of the prior art systems related to detecting fraud and misuse of a system are described in U.S. Pat. No. 5,557,742 (Method and System for Detecting Intrusion Into and Misuse of a Data Processing System), U.S. Pat. No. 6,347,374 (Event Detection), U.S. Pat. No. 6,405,318 (Intrusion Detection System), and U.S. Pat. No. 6,549,208 (Information Security Analysis System). Various other drawbacks exist with these systems and with other systems known in the art.

SUMMARY OF THE INVENTION

Various aspects of the invention overcome at least some of these and other drawbacks of existing systems. According to one embodiment, a system and method are provided for tracking a user across logs at an application layer of various applications that a user may access.

According to one embodiment, event log files may be accessed by a monitoring system, wherein the event log files are associated with known users or users whose identity the system can derive. The event logs may be compilations of recorded transactions and/or activities that are recorded by applications and access layer devices. According to one embodiment, the events contained in the event logs may be extracted by the monitoring system. The extracted events may be normalized into records that are suitable for analysis, storage and/or reporting. The normalized events may be analyzed against fraud scenarios that are defined for a given environment. According to one embodiment, the events may be correlated to users of the systems and the event records may contain identifiers that correlate to known users.

According to one embodiment, the normalized and correlated events may be analyzed for user specific fraud monitoring scenarios that are modeled based on a user's specific identity or role/relationship with an organization.

According to one embodiment, a method of detecting fraud or misuse of data in a computer environment is provided. The method comprises generating a rule for monitoring at least one of transactions and activities that are associated with the data, with the rule comprising at least one criteria related to the at least one of the transactions and the activities that is indicative of fraud or misuse of the data; applying the rule to the at least one of the transactions and the activities to determine if an event has occurred, with the event occurring if the at least one criteria has been met; storing a bit if the event has occurred; providing notification if the event has occurred; and providing a compilation of bits related to the rule.

According to one embodiment, a system for detecting fraud or misuse of data in a computer environment is provided. The system comprises a user interface for selection of at least one criteria related to at least one of transactions and activities associated with the data that is indicative of fraud or misuse of the data and for selection of a schedule for application of a rule for monitoring the at least one of the transactions and the activities; and a microprocessor in communication with the user interface and having access to the transactions and the activities of the data. The microprocessor generates the rule based at least in part on the at least one criteria selected and applies the rule to the at least one of the transactions and the activities according to the schedule selected to determine if an event has occurred. The event occurs if the at least one criteria has been met. The microprocessor stores a bit if the event has occurred and provides notification if the event has occurred. The microprocessor generates a compilation of bits related to the rule.

According to one embodiment, a computer readable program embodied in an article of manufacture comprising computer readable program instructions for detecting fraud or misuse of data in a computer environment is provided. The program comprises program instructions for causing the computer to provide a selection of at least one criteria related to at least one of transactions and activities associated with the data that is indicative of fraud or misuse of the data; program instructions for causing the computer to generate a rule based at least in part on the at least one criteria for monitoring the at least one of the transactions and the activities; program instructions for causing the computer to provide a selection for a schedule for application of the rule to the at least one of the transactions and the activities; program instructions for causing the computer to apply the rule according to the schedule selected to the at least one of the transactions and the activities to determine if an event has occurred, with the event occurring if the at least one criteria has been met; program instructions for causing the computer to store a bit if the event has occurred; program instructions for causing the computer to provide notification if the event has occurred; and program instructions for causing the computer to provide a compilation of bits related to the rule.

The invention has numerous advantages over and avoids many drawbacks of prior systems. These and other objects, features and advantages of the invention will be apparent through the detailed description of the embodiments and the drawings attached thereto. It is also to be understood that both the foregoing general description and the following detailed description are exemplary and not restrictive of the scope of the invention. Numerous other objects, features and advantages of the invention should now become apparent upon a reading of the following detailed description when taken in conjunction with the accompanying drawings, a brief description of which is included below.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A and 1B illustrate a flow chart of a process flow according to one embodiment of the invention.

FIG. 2 illustrates one process of correlating events to known users according to one embodiment of the invention.

FIG. 3 illustrates exemplary XML definitions according to one embodiment of the invention that may be used for event parsing.

FIG. 4 illustrates a flow diagram of fraud detection according to one embodiment of the invention.

FIG. 5 illustrates a general purpose computing system that is connected to a network that may be used to implement one or more aspects of the monitoring system.

FIG. 6 illustrates a flow diagram of fraud or misuse detection process according to another embodiment of the invention.

FIG. 7 illustrates a user interface for a system that utilizes the process of FIG. 6.

FIG. 8 illustrates a flow chart for detection of various fraud or misuse scenarios based upon audit logs in another embodiment of the invention.

FIG. 9 illustrates a flow chart for detection of various fraud or misuse scenarios based upon audit logs and select patient data in another embodiment of the invention.

FIG. 10 illustrates a flow chart for detection of various fraud or misuse scenarios based upon audit logs and select user data in another embodiment of the invention.

DETAILED DESCRIPTION OF THE INVENTION

FIGS. 1A and 1B together form a flow chart that illustrates some of the processes in one embodiment of the invention. In step 100, event log files (hereinafter event logs) are accessed by a monitoring system that is provided by the invention. According to one embodiment, event logs are data stores containing events, associated with known users, that are accessed by the system from servers and devices on a network. According to an alternative embodiment of the invention, event logs may include temporary storage devices. According to another embodiment, event logs may be sent to the monitoring system via protocols and message sets. Whether accessed on servers or received via messages, the monitoring system accesses event logs associated with known users or users whose identity the system can derive.

According to one embodiment, the event logs may be compilations of recorded transactions and/or activities that are recorded by applications and access layer devices. According to one embodiment, these may include servers and applications such as VPN devices, third party applications, in-house applications, web servers, single sign on servers, databases, e-mail servers, print servers, fax servers, phone systems and any other device or server that contains or generates event information based on a known user's use or interaction with an organization's information systems. The collection of data from the event logs is scheduled by the monitoring system to be conducted periodically or performed in real-time as the events are generated.

According to one embodiment, in operation 105, the events that are contained in the event logs may be extracted by the monitoring system using, for example, a parsing engine. According to one embodiment, the parsing engine may be an application that is configurable, for example, by using XML templates. According to one embodiment, the parsing engine maintains XML templates (as an example of standard format for a known event) of known event logs and events. The XML templates also may contain information that identifies correlations between events and event logs and may further contain information on what is to be extracted from the event for subsequent analysis, storage and reporting. For example, the XML template may contain the format of the data contained in an event log so that the data in the event log may be easily correlated to known fields based on the XML template information. One skilled in the art would recognize that XML templates are one embodiment of such a template and other similar templates or mapping techniques could also be used as would be recognized by those skilled in the art. For never previously encountered event data formats, the parsing engine may be configured via manual definition and manipulation of a default XML template to create a suitable XML template, or configured via a tool with a graphical user interface to define the event format as would be within the abilities of one skilled in the art.

According to one embodiment, in operation 110, the extracted events may be normalized (using, for example, the above described templates) into records that are suitable for analysis, storage and reporting. As part of the normalization process, an event source identifier (or event log identifier), date/time, source network address, destination network address, text associated with the event, and transaction code may be placed into the record. Based on the source identifier, additional information may be stored in the record that may not be part of a standard normalized record. For example, the record may include information correlating the events to the event source identifiers. One skilled in the art would recognize that the fields listed here are exemplary only and those skilled in the art would recognize various alternatives and modifications all of which are considered as a part of the invention.

According to one embodiment, in operation 115, the normalized events may be analyzed against fraud scenarios that are defined for a given organizational environment. Examples of such analysis include monitoring for access to a specific type of record in a healthcare, financial service or mortgage environment, or monitoring for a volume of transactions over a specified time period. Alerting and off-line reports may be generated by the system. This stage of analysis is characterized by analyzing for scenarios that benefit from being detected rapidly. The analysis of fraud scenarios is discussed in greater detail further herein.

According to one embodiment, in operation 120, events may be correlated to users of the organization's systems. According to one embodiment, the event records may contain identifier(s) that correlate to known users. The listing of identifiers that identify a user may be stored or accessible in a data repository 122, as will be discussed in further detail further herein. These correlation identifiers (found in the event record) may include e-mail address, userid(s), database ids, phone number, session id, TCP/IP address, MAC address, single sign on id, or any other id (identifier) that may correlate uniquely to users in a given organization's environment. According to one embodiment, these identifiers may be placed into the normalized record, such that the normalized records are associated with known users. Using the identifier, the monitoring system may correlate the normalized events using a database, directory or general repository 122 of known users. According to one embodiment, events that can not be matched against known users (for example, users that cannot be identified based on the known users in the repository 122) may be maintained in a separate records list. According to another embodiment, attempts to match the records to known users may be performed in an offline process which may be performed later in time or which may be initiated in near real-time by the monitoring system sending a message to initiate the matching of the unknown record. According to one embodiment, the monitoring system is capable of maintaining its own user repository 122. According to another embodiment, the monitoring system is capable of interfacing with an identity management repository, a single sign on repository, a human resource repository, an ERP or any other repository of known users. Alternatively, the monitoring system may use a combined approach in which it first checks its own repository 122 before interfacing the other repositories of user information in an organization.

According to one embodiment, in operation 125, the normalized and correlated events may be analyzed using, for example, rules, algorithms, database queries, or other methods, for user specific fraud monitoring scenarios that are modeled based on a user's specific identity or role/relationship with an organization. According to one embodiment, the fraud scenarios may be modeled and stored in XML templates. For example, the monitoring system may include a template that is matched to determine whether a fraud or misuse scenario has arisen. Examples of fraudulent and misuse scenarios are discussed further herein.

According to one embodiment, in operation 132, the normalized and correlated events may be stored in a database 132 for subsequent analysis and reporting. According to one embodiment, events that are non-correlated with users may be maintained in a separate records list and attempts to match the records to known users may be performed in an off-line process.

According to one embodiment, in operation 135, the monitoring system may analyze the off-line database of normalized and correlated events 132 for fraud scenarios that can not be detected in real time due to data, time, or performance limitations. The monitoring system may produce alerts 137 if its off-line analysis uncovers fraudulent scenarios. These alerts may be in the form of a report or message, which alerts a responsible person to investigate the fraud or misuse scenario. According to another embodiment, the monitoring system may initiate preventive action, for example, by suspending the access of a known user whose activities have triggered the alert. According to another embodiment, in operation 140, the system may produce generalized security reporting based on transactions and access by authenticated users. Such reports may be used to track the security of an organization's systems or may be used for subsequent investigations, once a fraud or misuse scenario has been uncovered.

The following description provides specific embodiments for some of the operations discussed above. While specific embodiments of the invention are discussed herein and are illustrated in the drawings appended hereto, the invention encompasses a broader spectrum than the specific subject matter described and illustrated. As would be appreciated by those skilled in the art, the embodiments described herein provide but a few examples of the broad scope of the invention. There is no intention to limit the scope of the invention only to the embodiments described herein.

1. Accessing Events. According to one embodiment, the monitoring system is flexible in its ability to read events. According to one embodiment, an application layer protocol such as Simple Network Management Protocol (SNMP) may be used to facilitate the exchange of management information between network devices. The monitoring system simply needs programmatic input (or read) access to a given event source such as a log file. In the case of a log file, the log file may be accessible via a local hard drive, a network hard drive, and/or may be transferred locally via a file transfer protocol such as ftp. According to one embodiment, the monitoring system is also flexible enough to read from a local or remote database via protocols, such as ODBC, in order to access relevant events. Alternatively, a log file may be generated through the systematic extraction from one or more databases, and the generated log file(s) then transported via ftp to the local drive of the monitoring system. According to another embodiment, the monitoring system may provide a web service interface in order to receive events using a message protocol, such as Simple Object Access Protocol (SOAP). As previously stated, the monitoring system generally is flexible and uses programmatic (read) access to event sources.

2. Event Contents and Format. According to one embodiment, while the monitoring system is capable of processing any log event, it has the ability to process events that were directly or indirectly generated by known users (known, for example, to an organization) and then correlate those events to the known users. For user associated events, one general format of the event data that is tracked is outlined below. Of course, it should be recognized that this format is exemplary only and those skilled in the art would recognize various modifications and alternatives all of which are considered as a part of the present invention. One general format may include: [Date and Time Stamp] [User identifier] [Transaction Type] [Event Text] [Request Address] [Target Address] [Status Code] [Other Data]. Other formats are contemplated.

As would be recognized by one skilled in the art, the number of lines per event, field order, delimiters, field format etc. may vary between applications, access servers, databases, etc. The monitoring system is sufficiently configurable to handle various events. The “User identifiers” field may be a user-id, an e-mail address, a phone number, a database-id, a single sign on id, a TCP/IP address, a MAC address, a session id or any other identifier that ties the event to a known user. The applicability of the identifier may be dependent on the organization's environment, including user-id policies, application environment, network layouts, etc. The monitoring system is sufficiently configurable to allow for these variables in correlating the events to known users.

3. Event Definitions. According to one embodiment, the monitoring system may be flexible in its ability to process the above described events. According to one embodiment, the system may include an XML based description language that is used to specify the variables of a given event type such as fields, field order, field delimiters, number of lines per event, number of characters, field type and spoken language type. Multiple event types in a given event source (such as a log file) can also be similarly described. According to one embodiment, the definition of event types may be maintained in a directory that is known to the monitoring system so that they may be used whenever a given event type (which has a definition in the directory) is processed.
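A template-driven parser of the kind described in operations 105 and 110 and in the event definitions above, as an added example that is not taken from the patent or its FIG. 3. The XML element and attribute names, the event types and the sample log lines are all assumptions constructed for illustration.

```python
import itertools
import xml.etree.ElementTree as ET
from datetime import datetime

# Hypothetical template schema (not the definitions of FIG. 3): one <event>
# per event type; the order of <field> elements is the field order in a line.
TEMPLATES_XML = """
<eventTemplates>
  <event type="vpn_access" source="vpn01" delimiter="|"
         timeFormat="%Y-%m-%d %H:%M:%S">
    <field name="timestamp" type="datetime"/>
    <field name="user_identifier" type="string"/>
    <field name="transaction_type" type="string"/>
    <field name="event_text" type="string"/>
    <field name="request_address" type="string"/>
    <field name="target_address" type="string"/>
    <field name="status_code" type="int"/>
  </event>
  <event type="app_audit" source="emr" delimiter=","
         timeFormat="%d/%m/%Y %H:%M">
    <field name="user_identifier" type="string"/>
    <field name="timestamp" type="datetime"/>
    <field name="transaction_type" type="string"/>
    <field name="event_text" type="string"/>
  </event>
</eventTemplates>
"""

# Constructed sample log lines, paired with the event type that describes them.
SAMPLE_LINES = [
    ("vpn_access", "2006-05-26 08:15:02|jsmith|LOGIN|VPN session established"
                   "|198.51.100.7|10.0.0.5|200|sess=ab12"),
    ("app_audit", "j.smith@example.org, 26/05/2006 08:17, VIEW, "
                  "Opened patient chart 1001"),
    ("vpn_access", "truncated line|jsmith"),  # malformed on purpose
]

_event_ids = itertools.count(1)  # unique identifier for every stored event


def load_templates(xml_text):
    """Read the event definitions into a dict keyed by event type."""
    templates = {}
    for ev in ET.fromstring(xml_text).findall("event"):
        templates[ev.get("type")] = {
            "source": ev.get("source"),
            "delimiter": ev.get("delimiter"),
            "time_format": ev.get("timeFormat"),
            "fields": [(f.get("name"), f.get("type"))
                       for f in ev.findall("field")],
        }
    return templates


def normalize(line, event_type, templates):
    """Map one raw log line onto the normalized record for its event type."""
    tpl = templates[event_type]  # KeyError: no definition for this type
    parts = [p.strip() for p in line.rstrip("\n").split(tpl["delimiter"])]
    if len(parts) < len(tpl["fields"]):
        raise ValueError(f"expected {len(tpl['fields'])} fields, "
                         f"got {len(parts)}")
    record = {"event_source": tpl["source"], "event_type": event_type}
    for (name, ftype), raw in zip(tpl["fields"], parts):
        if ftype == "datetime":
            record[name] = datetime.strptime(raw, tpl["time_format"])
        elif ftype == "int":
            record[name] = int(raw)
        else:
            record[name] = raw
    # Fields beyond the template are kept, not dropped ("Other Data").
    record["other_data"] = parts[len(tpl["fields"]):]
    record["event_id"] = next(_event_ids)
    return record


def parse_log(lines, templates):
    """Normalize every line; keep lines that fail for later review."""
    records, rejected = [], []
    for event_type, line in lines:
        try:
            records.append(normalize(line, event_type, templates))
        except (KeyError, ValueError) as exc:
            rejected.append((line, str(exc)))
    return records, rejected


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LINES, load_templates(TEMPLATES_XML))
    for r in recs:
        print(r)
    print("rejected:", bad)
```

Lines that do not fit their template go to a separate list with the reason, so a format change in a log source shows up as rejects instead of silently missing events.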

4. System Database Schemas. According to one embodiment, the monitoring system may maintain a set of schemas that correspond to the event types being processed. These schemas may be used to generate database tables. For example, “http common log format” has a pre-defined schema that the monitoring system maintains and can generally re-use whenever the events of a “http common log format” type are processed. According to another embodiment, the monitoring system may provide the ability to use a schema that associates fields that are unique to a specific event type to the storage format of an event. In other words, the system may be sufficiently configurable to handle event fields that are not part of a standard format as described above. For example, program logic based on keywords or certain alphanumeric sequences may be used to identify fields in an event data record and may correlate them to the standardized storage format of the normalized records.

According to one embodiment, the monitoring system may normalize events by mapping as many fields available as described above to the schema and table defined herein as well as mapping the event specific fields to the table and field as described in the event type's specific schema. According to another embodiment, the monitoring system may generate a unique identifier for every event processed and stored in the system's database(s), which may be used for subsequent indexing, correlation and reporting. According to one embodiment, suitable indexed fields may be part of the schema definition that allows for increased efficiency in accessing the stored data, generating reports and in processing events. The normalized event generally may contain the same data as contained in an event record, but it may be formatted and indexed for a database.

According to the embodiment, the monitoring system may maintain tables (in a database 132) that correspond to known users and associated identifiers for an organization. According to one embodiment, the monitoring system may be sufficiently flexible to leverage existing identity management systems for the maintenance of the users and identifiers. These systems may include directories such as Active Directory or Identity Management systems from vendors such as Computer Associates, BMC, Sun, IBM, Novell. Generally, the system is flexible enough to leverage existing identity sources of all kinds or to maintain the identities itself in a repository.

5. Known User Correlation. According to one embodiment, the monitoring system may be flexible in that, depending on the processing environment and application of the system, it may correlate events to known users in real-time as the events are processed. According to another embodiment, the system may correlate the events to known users during off-line processing. In both cases, the result is that events processed by the system are correlated to the known users of an organization and used for security reporting, fraud detection, monitoring, etc., as disclosed herein.

According to one embodiment of the invention, FIG. 2 illustrates a diagram of a process for correlating events 210 to records of known users 205. The monitoring system may produce the normalized event 210 by the general process outlined earlier herein. According to one embodiment, the normalized event 210 may contain one or more User identifier(s), examples of which include: e-mail address, userid(s), database ids, phone number, TCP/IP address, MAC address, single sign on id, session id or any other id that may correlate uniquely to a user given an organization's environment.

According to one embodiment, the system may access a directory, database or other repository of users 122 and associated identifiers, examples of which are shown in the records of known users 205. Therefore, as shown in FIG. 2, particular users may be associated with a wide variety of identifiers. Some of these identifiers may be maintained on a permanent basis while other identifiers, such as session ids, may only be maintained for a short duration, while a particular session of the user is current or has been recently created. Likewise, different variants of a particular type of identifier may also be maintained, for example, if a user has multiple e-mail addresses or multiple telephone numbers, all of these may be stored in user repository 122.

According to one embodiment of the invention, the monitoring system may correlate an event 210 to records of known users 205 based on matching identifier(s). According to one embodiment of the invention, event 210 and user record 205 may be linked together in a repository 132 that contains normalized and correlated events. Session ids, and similar temporary identifiers may be captured from event records and maintained so that events 210 may be correlated to a record of known users 205 even though the event 210 may not have an identifier that directly links the event 210 to the record of known users 205. Such temporary identifiers may be maintained in the user repository 122 or as a record in some other repository which may be linked back to the known user's record in the user repository 122. At some point in this flow, the session id (as an example of a temporary id) should have been linked to the user within some log event. For example, a VPN typically generates a session id in association with a user login event, then subsequently only “logs” session id in events associated with that user. However, the monitoring system may track the session id based on the initial user login event so that activities of the user, identified only by the session id in event logs, can also be tracked back to the specific known user.

According to another embodiment of the invention, events for which there are no correlating user records may be stored in the database under special tables that allow reporting and additional processing.
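The correlation flow described above, including the VPN session-id case and the separate list for uncorrelated events, as an added example that is not the patent's own implementation. The repository layout, event fields and all sample values are constructed assumptions.

```python
# Constructed repository of known users and their identifiers
# (standing in for the records of known users 205 in repository 122).
USER_REPOSITORY = {
    "U-001": {"jsmith", "j.smith@example.org", "db_jsmith"},
    "U-002": {"mjones", "m.jones@example.org"},
}

# Constructed normalized events, already in time order.
EVENTS = [
    {"event_id": 1, "source": "vpn01", "type": "LOGIN",
     "user_identifier": "jsmith", "session_id": "ab12"},
    {"event_id": 2, "source": "vpn01", "type": "ACCESS",
     "user_identifier": None, "session_id": "ab12"},
    {"event_id": 3, "source": "emr", "type": "VIEW",
     "user_identifier": "J.Smith@example.org", "session_id": None},
    {"event_id": 4, "source": "vpn01", "type": "LOGIN",
     "user_identifier": "contractor9", "session_id": "zz77"},
    {"event_id": 5, "source": "vpn01", "type": "ACCESS",
     "user_identifier": None, "session_id": "zz77"},
    {"event_id": 6, "source": "vpn01", "type": "LOGOUT",
     "user_identifier": None, "session_id": "ab12"},
    {"event_id": 7, "source": "vpn01", "type": "ACCESS",
     "user_identifier": None, "session_id": "ab12"},
]


def build_identifier_index(repository):
    """Invert the repository: identifier (case-folded) -> user key."""
    index = {}
    for user_key, identifiers in repository.items():
        for ident in identifiers:
            index[ident.lower()] = user_key
    return index


def correlate(events, repository):
    """Link events to known users; return (correlated, unmatched)."""
    index = build_identifier_index(repository)
    sessions = {}  # temporary identifier -> user key, while session is live
    correlated, unmatched = [], []
    for ev in events:
        ident = ev.get("user_identifier")
        sid = ev.get("session_id")
        user_key = index.get(ident.lower()) if ident else None
        via = "identifier" if user_key else None
        # Fall back to the session table only when the event names no user,
        # so an unknown identifier is never attributed to someone else.
        if user_key is None and not ident and sid in sessions:
            user_key, via = sessions[sid], "session"
        if ev["type"] == "LOGIN" and sid:
            if user_key:
                sessions[sid] = user_key   # bind session id at login
            else:
                sessions.pop(sid, None)    # drop any stale binding
        elif ev["type"] == "LOGOUT" and sid:
            sessions.pop(sid, None)        # temporary id expires
        if user_key:
            correlated.append({**ev, "user_key": user_key,
                               "matched_via": via})
        else:
            unmatched.append(ev)           # kept for off-line matching
    return correlated, unmatched


if __name__ == "__main__":
    matched, leftover = correlate(EVENTS, USER_REPOSITORY)
    for ev in matched:
        print(ev["event_id"], ev["user_key"], ev["matched_via"])
    print("unmatched:", [ev["event_id"] for ev in leftover])
```

Event 7 reuses session id `ab12` after the logout and stays unmatched, which is the behaviour wanted for a temporary identifier that is only valid while the session is current.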

According to one embodiment of the invention, FIG. 3 provides exemplary XML definitions 301 that may be used for event parsing.

According to one embodiment of the invention, fraud and/or misuse detection may be performed through analysis of uncorrelated events. Some fraud and misuse scenarios may be detected prior to the correlation of an event to a user. This enables the monitoring system to monitor resources of an organization and generally detect behaviors that are considered high risk, before a particular user has been identified as suspicious. For example, the monitoring system may generate an alert and alert record using any of the following techniques:

- When any user, or user in a particular category, performs a certain volume of transactions or activities over a specified time interval;
- When any user, or user in a particular category, performs a pre-defined sequence of transactions or activities;
- When any user, or user in a particular category, accesses resources outside of pre-defined hours of the day;
- When any user, or user in a particular category, changes or accesses a pre-identified resource such as a database field, file, application field; and/or
- When any user, or user in a particular category, changes or accesses resources associated with a pre-identified entity such as records associated with a famous person who checked into a hospital or records that correspond to particular customers or partners.
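Three of the techniques listed above (volume over a time interval, access outside pre-defined hours, access to a pre-identified resource) applied to uncorrelated events, as an added example that is not part of the patent. The thresholds, field names and sample events are constructed, and recording one bit per rule evaluation is one reading of the "bit" and "compilation of bits" in the abstract, taken here as an assumption.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed normalized events; user_identifier is the raw identifier from
# the log, since these rules run before correlation to a known user.
SAMPLE_EVENTS = [
    {"timestamp": datetime(2006, 5, 26, 10, 0, 0),
     "user_identifier": "db_jsmith", "resource": "patient/1001"},
    {"timestamp": datetime(2006, 5, 26, 10, 0, 30),
     "user_identifier": "db_jsmith", "resource": "patient/1002"},
    {"timestamp": datetime(2006, 5, 26, 10, 1, 0),
     "user_identifier": "db_jsmith", "resource": "patient/1003"},
    {"timestamp": datetime(2006, 5, 26, 10, 1, 30),
     "user_identifier": "db_jsmith", "resource": "patient/1004"},
    {"timestamp": datetime(2006, 5, 26, 23, 30, 0),
     "user_identifier": "nurse7", "resource": "patient/VIP-1"},
]


def volume_rule(max_events, window):
    """Hit when one identifier exceeds max_events within a sliding window."""
    recent = defaultdict(deque)

    def check(ev):
        q = recent[ev["user_identifier"]]
        q.append(ev["timestamp"])
        while ev["timestamp"] - q[0] > window:
            q.popleft()  # forget activity older than the window
        return len(q) > max_events
    return check


def off_hours_rule(start_hour, end_hour):
    """Hit when access falls outside [start_hour, end_hour)."""
    def check(ev):
        return not (start_hour <= ev["timestamp"].hour < end_hour)
    return check


def watched_resource_rule(resources):
    """Hit when a pre-identified resource is touched."""
    watched = set(resources)

    def check(ev):
        return ev["resource"] in watched
    return check


def build_rules():
    """Fresh rule set; the volume rule is stateful, so build one per run."""
    return {
        "volume": volume_rule(max_events=3, window=timedelta(minutes=5)),
        "off_hours": off_hours_rule(start_hour=8, end_hour=18),
        "watched_resource": watched_resource_rule({"patient/VIP-1"}),
    }


def apply_rules(events, rules):
    """Apply every rule to every event, in time order.

    Returns (bits, alerts): bits[name] holds one 0/1 entry per evaluated
    event, and alerts lists (rule name, identifier, timestamp) per hit.
    """
    bits = {name: [] for name in rules}
    alerts = []
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        for name, check in rules.items():
            hit = 1 if check(ev) else 0
            bits[name].append(hit)
            if hit:
                alerts.append((name, ev["user_identifier"], ev["timestamp"]))
    return bits, alerts


def compile_bits(bits):
    """Per-rule compilation: evaluations, hits, and the raw bit string."""
    return {name: {"evaluated": len(b), "hits": sum(b),
                   "bitstring": "".join(map(str, b))}
            for name, b in bits.items()}


if __name__ == "__main__":
    rule_bits, rule_alerts = apply_rules(SAMPLE_EVENTS, build_rules())
    print(compile_bits(rule_bits))
    for alert in rule_alerts:
        print("ALERT", alert)
```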

According to another embodiment of the invention, fraud and/or misuse detection may be performed through analysis of correlated events. Some fraud and misuse scenarios may be detected when events have been correlated to users. For example, the monitoring system may generate an alert and generate an alert record using any of the following techniques:

- When any user carries out activities or transactions that are outside of pre-defined characteristics of their relationship to the organization (job function, supplier relationship, customer relationship, etc.);
- When a user carries out activities or transactions that are inconsistent with the historically established behavior of that user (or a category of users to which the user belongs);
- When a pre-identified user performs pre-defined activities, transactions or gains access to system;
- When a user accesses resources from an address (TCP/IP, MAC domain, other) that is inconsistent with the past accesses; and/or
- When a user conducts activities or transactions that link the user to previously established suspicious users.

Examples of the Fraudulent Use of Business Information Systems

The fraudulent use of business information systems may take many forms, may involve variously sophisticated participants and techniques. According to one embodiment, the monitoring system may be applied to specific forms of fraud or may be used as a more general platform against more sophisticated forms of fraud. According to one embodiment, the monitoring system may perform monitoring, reporting, and/or incident research relating to fraud conducted in conjunction with known users (or user identifiers) of an organization. These fraudulent scenarios may go undetected by using the current art of firewall, intrusion detection and prevention, authentication/authorization techniques. It should be noted that these scenarios are exemplary only and one skilled in the art would recognize various alternatives and modifications all of which are considered as a part of the invention.

1. Sale of Customer Records. For many industries, knowledge of customers represents lucrative information. Long-term healthcare, mortgage, high value financial services are all example industries in which employees, partners, suppliers and other known entities may gain access to applications, databases, etc. via known user ids. Unscrupulous users may sell this information to competitors or other parties. According to one embodiment of the invention, the monitoring system may track which users are accessing which customer data to determine in advance if any misuse situation arises, for example, if a sales person is accessing information unrelated to any of his sales clients.

2. Unauthorized Disclosure to Protected Health Information. Within the healthcare field, access to Protected Health Information (PHI) is protected by law. Persons with general access to systems which have access to PHI, may act in collaboration with a third party to obtain PHI about a neighbor, a relative, a coworker, a famous person or a person of power in order to blackmail the victim or to view confidential information that is protected by law. Medicare fraud is also common practice and may include a ring of conspirators that act together to submit false or inflated claims. This scheme may require known/trusted users to falsify the systems within a care provider. According to one embodiment of the invention, the monitoring system may closely track which user is accessing data about a famous patient or track whether a group of users are accessing relevant data about one or more patients in such a manner that the combined data accessed may be misused.

3. Changing the Ship-to Address on an Order. Organizations that process orders electronically may have the “ship-to” address changed by an existing user, such as an employee. In this case, the employee may change the address to a destination where the employee may capture the order and sell the order on the open market. Typically, this act of fraud goes undetected until the original purchaser refuses to pay an invoice or complains that the order never arrived. According to one embodiment, the monitoring system may track which users are changing the ship-to address or if a user is changing ship-to addresses on a regular basis. Correlating the events around the transaction takes many man hours using the current state of the art.

4. A Departing Employee Capturing the Customer Database. Departing sales persons are well-known for obtaining an electronic or printed copy of the customer database and prospect pipeline. They may use this data in a new position which may be with a competitive firm. According to one embodiment of the invention, the system may provide reporting and general detection capabilities and may correlate application and database activity to the user in question for review. According to one embodiment of the invention, the monitoring system may track to see if a sales person is accessing a relatively large number of sales records or if a sales person is accessing the records of customers with whom the sales person has no relationship.

5. Exploiting Weak Authentication via the Corporate Extranet or VPN. Corporate Extranets and VPNs are most typically authenticated via userid and password. As a partner to the company, a known user may have access to sensitive information such as pricing, inventory levels, inventory warehouse locations, promotions, etc. If the user leaves the “partner” firm and moves to a competitive firm, the user may still use the same userid and password to gain competitive access to the sensitive information. According to one embodiment of the invention, the monitoring system may associate the userid with a particular IP address (or domain) and raise an alert if the IP address or domain is that of a competitor or an entity that is not a partner firm.

6. Non-repudiation for Bond Traders. Bond traders often speculatively purchase these securities in anticipation of market movements. In the event the markets take unexpected moves, the bond traders may deny the characteristics of their electronic order. According to one embodiment of the invention, characteristics and stages of an electronic transaction may be correlated to the known user (the trader) in order to negate any such fraudulent claim by the trader.

7. Financial Insider Trading Rings. Insider trading rings may comprise many collaborators using various electronic systems including applications, e-mail, phone, and/or fax. According to one embodiment of the invention, the monitoring system may be used to detect suspicious behaviors or may be used in incident investigations to identify all conspirators. A typical scenario is for one party to receive “inside information” from an outside source via some electronic means. The first source then collaborates with others to conduct trades that generate fraudulent profits based on the ill-gotten information. According to one embodiment of the invention, the monitoring system may detect such activities at a much earlier stage than might be possible using conventional insider trading detection methods.

8. Web Services. Business information systems are often published as web services. While authentication and authorization standards are established, the same rogue users that plague traditional systems often take advantage of a published web service. According to one embodiment of the invention, the system may provide reporting and general detection capabilities and may correlate application and database activity to the user in question for review.

According to one embodiment of the invention, FIG. 4 illustrates operations in the use of the monitoring system to detect misuse based on the actions of a departing employee. According to one exemplary scenario, a sales person who is an employee of the Organization has accepted a comparable position with a competitive firm. The employee has not notified the Organization of their intent to leave and is continuing to work in a business as usual appearance. The employee has decided to accumulate as many information resources as possible that may help with new business at their next position.

1. Customer and Prospect Record Access. As part of their job, the Employee has access to detailed information on the Organization's customers and prospects. Customer and prospect records are maintained in a CRM (Customer Relationship Management) application, which is available through the Organization's VPN and Extranet. The CRM application has a privilege management system for limiting access to records to the “owner of the record” only. However, due to the collaborative nature of the sales and support process, this feature is rarely used, so that all employees have access to all records.

2. Remote Data Capture. Knowing specifics on customers and prospects who are actively engaged with the Organization could be valuable in saving time and generating new business at their next position. In operation 405, the Employee decides to access the CRM application through the corporate VPN and to capture prospects and customers of the Organization in operation 410. The Employee's work location is in a remote office, away from the Organization's headquarters, so the Employee is comfortably able to take an entire morning accessing the CRM system to electronically capture over 125 customer and prospect records. The electronically captured customer and prospect records are then forwarded to a personal “hotmail” e-mail account. The Employee intended to access another 200 records at later times.

3. Detection. According to one embodiment of the invention, the monitoring system may be configured to monitor access to CRM, VPN and Internet proxy logs. The monitoring system may be configured to alert the security team in the event that more than 50 customer or prospect records are accessed in a specific (for example, four hour) time period. Thus, actions of the departing Employee may trigger a security alert in operation 415.

4. Investigation. According to one embodiment of the invention, in operations 420 and 425, the monitoring system may facilitate a forensic investigation once an alert has been generated. Once the security team has been alerted of a potential incident, they can run a report from the monitoring system which has captured events from the VPN, CRM and Internet proxy from the last 30 days. According to one embodiment, from this report, the security team may be able to determine that the employee had remotely accessed 125 customer and prospect records through the corporate VPN and that the employee had also sent a series of e-mails to a hotmail account during the same time period. According to one embodiment, this analysis may be performed using automated rules to determine that a fraud/misuse situation has been detected.

According to one embodiment of the invention, the security team can then forward this information or an automated alert can be forwarded to the Human Resources department of the Organization. In operation 430, the Organization may then be able to confront the Employee with the facts, limiting future damages and enabling the Organization to work through the Employee Separation in an informed manner. Alternatively, the monitoring system may automatically disable or suspend the access of the Employee to the Organization's system, so that further damage can be prevented before the situation with the Employee can be further evaluated.

According to one embodiment of the invention, FIG. 5 illustrates the components of a computing system connected through a general purpose electronic network 10, such as a computer network. The computer network 10 may be a virtual private network or a public network, such as the Internet. As illustrated in FIG. 5, the computer system 12 may include a central processing unit (CPU) 14 that is connected to a system memory 18. System memory 18 may include an operating system 16, a BIOS driver 22, and application programs 20. In addition, computer system 12 may include input devices 24, such as a mouse or a keyboard 32, and output devices such as a printer 30 and a display monitor 28, and a permanent data store, such as a database 21. Computer system 12 may include a communications interface 26, such as an Ethernet card, to communicate to the electronic network 10. Other computer systems 13 and 13A may also be connected to the electronic network 10, which can be implemented as a Wide Area Network (WAN) or as an inter-network, such as the Internet.

According to one embodiment, computer system 12 may include a monitoring server 50 that implements the monitoring system or its parts discussed herein, including programmed code that implements the logic and modules discussed herein with respect to FIGS. 1-4. One skilled in the art would recognize that such a computing system may be logically configured and programmed to perform the processes discussed herein with respect to FIGS. 1-4. It should be appreciated that many other similar configurations are within the abilities of one skilled in the art and it is contemplated that all of these configurations could be used with the methods and systems of the invention. Furthermore, it should be appreciated that it is within the abilities of one skilled in the art to program and configure a networked computer system to implement the method steps of certain embodiments of the invention, discussed herein.

According to one embodiment, monitoring server 50 may include a user identifier module 51 that provides data corresponding to computer users, a modeled data providing module 52 that provides fraud detection information and misuse detection information, a data capturing module 53 that provides application layer data and data corresponding to transactions and activities that are associated with computer users, a parsing engine 54 that extracts application layer data and data corresponding to transactions and activities that are associated with the computer users, a normalizing engine 55 that normalizes the data extracted by the parsing engine, a correlating module 56 that correlates the normalized data, an analyzing module 57 that analyzes the correlated information and the modeled data, a determining module 58 that determines whether the correlated information corresponds to at least one of the fraud detection information and misuse detection information, a user specific analyzing module 59 that analyzes the correlated information for user specific fraud detection information based on the computer user's identity, a pre-defined role associated with each computer user, and/or a pre-defined relationship that is defined for the computer users, and an alert generating module 60 that generates alerts. It should be readily appreciated that a greater number or lesser number of modules may be used. One skilled in the art will readily appreciate that the invention may be implemented using individual modules, a single module that incorporates the features of two or more separately described modules, individual software programs, and/or a single software program.

According to one embodiment of the invention, FIG. 6 illustrates a rule engine or process 600 that enables automatic detection of incidents which may be related to fraud or misuse of data, such as violations of the Health Insurance Portability and Accountability Act (HIPAA), identity theft and medical identity theft. The rule can monitor transactions and/or activities that are associated with the data, for example, accessing of the data by a user or non-user of the system storing the data. Process 600 can utilize one or more of the components described above with respect to system 12, including the various modules for capturing, parsing, correlating, normalizing, analyzing and determining incidents that arise from the transactions and/or activities associated with the data of the computer environment, including the one or more databases having the data. The rule engine 600 is not intended to be limited to any particular type of computer environment or data or any particular type of fraud or misuse of the data. However, the type of data and type of fraud or misuse of the data can be a basis, at least in part, for one or more criteria of a rule for monitoring the transactions and/or activities associated with the data or computer environment.

In step 605, a rule is created by the user and/or a third party, such as a consultant with particular knowledge as to fraud or misuse of the particular type of data. The rule can include algorithms, database queries and/or data analysis methods to define and/or detect fraud incidents and misuse incidents. Various criteria can be used for generating or creating the rule. The criteria can be related to the transactions and/or activities that are indicative of fraud or misuse of the data. For example, process 600 can create or generate a rule based on one or more of the following parameters:

-   Timeframe criteria can be utilized, such as a date range or a user-friendly time concept, e.g., yesterday, last month, last quarter.
-   Volume threshold criteria can be utilized based on the number of events found. The volume threshold criteria could be used in conjunction with the time frame criteria.
-   Field value matching criteria can be utilized which allows a user to select an event source, and then allows a user to select a field and a value for that field.
-   Categorized field value matching criteria can be utilized which allows a user to choose a category and a pattern to match.
-   Common user name matching criteria can be utilized which allows a user to select a common user name to be searched across all supported applications. The common user name matching criteria can be implemented where the user data for each application is imported.

Step 605 also allows a user to designate the criteria related to the notice or alert that can be used when a rule is triggered. In one embodiment, an email address of the entity to be notified of the triggering of the rule can be designated. Process 600 can use the email address of the rule creator as a default for the alert. In one embodiment, the type of notice can be designated such as text to be sent in an email so the user will know which rule was tripped and any specific information that can be provided.

The scope of the rule can include a single event source, such as finding matches in a single system. For example, single event source rules can accept pattern matches with timeframe and/or volume threshold criteria. As another example, a rule could determine when access has been gained to a pre-determined number of medical records over a pre-determined time interval. Such behavior can be indicative of medical identity theft. The scope of the rule can include multiple event source rules, such as finding matches across multiple systems. For example, multiple event source rules could monitor for common user names or access to particular data categories.
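The following added example (not code from the patent) combines the rule criteria described above: field value matching, a volume threshold counted over a timeframe, and common user name matching across two event sources, using the departing-employee figures of more than 50 records in four hours. The event fields, the identity map, the user names and the rule name are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed identity map: (event source, application-specific id) -> common user name.
IDENTITY_MAP = {
    ("crm", "jdoe"): "john.doe",
    ("extranet", "DOE_J"): "john.doe",
    ("crm", "asmith"): "alice.smith",
}


@dataclass(frozen=True)
class Rule:
    name: str
    sources: frozenset      # scope: one or several event sources
    field: str              # field value matching: the field name ...
    value: str              # ... and the value it must have
    threshold: int          # volume threshold: trigger on MORE than this many records
    window: timedelta       # timeframe over which the volume is counted


def normalize(raw_events, identity_map):
    """Resolve each event to a common user name; keep unresolvable events apart."""
    known, unmatched = [], []
    for ev in raw_events:
        user = identity_map.get((ev["source"], ev["user_id"]))
        if user is None:
            unmatched.append(ev)
        else:
            known.append({**ev, "user": user})
    known.sort(key=lambda e: e["ts"])
    return known, unmatched


def evaluate(rule, events):
    """Return the first hit per user: {user: (trigger_time, distinct_records_in_window)}."""
    windows = defaultdict(deque)   # user -> matching events still inside the timeframe
    hits = {}
    for ev in events:              # events must be sorted by timestamp
        if ev["source"] not in rule.sources or ev.get(rule.field) != rule.value:
            continue
        win = windows[ev["user"]]
        win.append(ev)
        while ev["ts"] - win[0]["ts"] > rule.window:
            win.popleft()          # drop events older than the timeframe
        distinct = len({e["record"] for e in win})
        if distinct > rule.threshold and ev["user"] not in hits:
            hits[ev["user"]] = (ev["ts"], distinct)
    return hits


def build_sample_events():
    """Constructed sample: one morning of CRM and extranet audit events."""
    start = datetime(2024, 3, 4, 8, 0, 0)
    events = []
    # john.doe views 125 records, one every 90 s, alternating between two logins.
    for i in range(125):
        source, uid = (("crm", "jdoe"), ("extranet", "DOE_J"))[i % 2]
        events.append({"source": source, "user_id": uid, "action": "view",
                       "record": f"CUST-{i:04d}", "ts": start + timedelta(seconds=90 * i)})
    # alice.smith views 12 records across the morning (ordinary workload).
    for i in range(12):
        events.append({"source": "crm", "user_id": "asmith", "action": "view",
                       "record": f"CUST-{9000 + i}", "ts": start + timedelta(minutes=20 * i)})
    # An identifier that appears in no imported user data.
    events.append({"source": "crm", "user_id": "tmp42", "action": "view",
                   "record": "CUST-0001", "ts": start + timedelta(minutes=5)})
    return events


RULE = Rule(name="bulk-customer-record-access", sources=frozenset({"crm", "extranet"}),
            field="action", value="view", threshold=50, window=timedelta(hours=4))

if __name__ == "__main__":
    known, unmatched = normalize(build_sample_events(), IDENTITY_MAP)
    for user, (when, count) in evaluate(RULE, known).items():
        print(f"ALERT {RULE.name}: {user} reached {count} records at {when:%H:%M:%S}")
    print(f"{len(unmatched)} event(s) with no known user kept in a separate list")
```

With both sources in scope the rule fires 75 minutes into the session; restricted to the CRM source alone, the same user is only caught at 10:30, which is what common user name matching buys.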

In step 610, it can be determined whether real-time incident detection is being implemented by process 600. Real-time incident detection processes the rule as each event is read and before insertion into a database. Process 600 can apply real-time incident detection to some, most or all of the rules that have been created in step 600.

In step 615, any rule that is not subject to real-time incident detection can be scheduled for processing. The schedule can be time-based and/or can utilize other factors for determining the schedule, such as system activity. The particular schedule can be related to the criteria of the rule. For example, a rule that monitors access to a pre-determined volume of medical records over a pre-determined time period may be scheduled to be processed at intervals of the pre-determined time period. An example of an application that can be used to schedule the rule is Quartz.

The present disclosure also contemplates adjustable or dynamic scheduling of the rule. A user can designate one or more criteria for scheduling the rule and the schedule can be built and thereafter automatically adjusted based upon the one or more criteria. For example, a time interval between processing of the same rule can be adjusted based upon such factors as system activity or the amount of accessible data.

In step 620, the rule can be implemented or processed. Any rule that finds one or more matches can create a database entry, such as in a database of system 12 described above with respect to FIG. 5, indicating a bit or triggering of the rule. The bit also can cause the notice or alert to be generated and sent to the designated recipient as in step 625.

Based upon the receipt of the alert or notice, a user can access system 12 for additional information pertaining to the rule or plurality of rules that has been triggered as in step 630. The additional information can provide the specific time of triggering the rule, as well as all other times the rule was triggered. A specific link can be provided in the notice or alert so that the user is brought directly to the relevant information pertaining to the bit when accessing system 12.

In one embodiment of the invention, FIG. 7 illustrates a user interface 700 for the rules process 600. A rule management page or window 705 can indicate to a user all of the defined rules. The rule management page 705 can also be used by the user for creating, modifying or deleting rules. A rule definition page or window 710 can also be used for inputting information to define a new rule. A rule scheduling management page or window 715 can indicate to a user all of the schedules of the rules. The rule scheduling management page 715 can also be used to create new schedules, modify existing schedules, and/or delete schedules. A rule schedule definition page or window 720 can be used to define the schedule for the rule to run.

A rule bit management page or window 725 can indicate to a user all rules that have had matches and the number of matches per rule. A rule bit summary screen or window 730 can indicate to a user all the entries in the database for bits for a particular rule. The rule bit summary screen 730 can show the date that the rule was triggered and the actual events that caused the rule to trigger. A rule bit event screen or window 735 can indicate to a user the one or more events that caused the rule to trigger. Manipulation between the pages or windows and between information on those pages or windows can occur by various techniques including drill-down menus and new windows. The present disclosure contemplates use of the same window for each of the functions described above.

Referring to FIG. 8, the system 12 or a module thereof can be used in combination with audit logs 1100 for detection of various fraud or misuse scenarios. For example, the audit logs 1100 can be analyzed based upon various criteria as described above to detect employee self-examination, family member snooping, VIP snooping, snooping on co-workers who are patients, snooping whole other family (neighbors, etc). The criteria can include a high volume of billing/contact modifications, a high volume of downloading/printing functions, “Break-the-glass” functions, high activity levels for patients or users in a timeframe and/or unusual login activity. One of ordinary skill in the art can use other criteria and other combinations of criteria for detecting fraud and misuse based upon the audit logs.

Referring to FIG. 9, the system 12 or a module thereof can be used in combination with audit logs 1100 and select patient data 1200 for detection of various fraud or misuse scenarios. For example, the audit logs 1100 and select patient data 1200 can be analyzed based upon criteria including accessing patients who were discharged over a year ago or other specified time period or a patient who normally goes to the doctor once a year and suddenly goes 25 times in a year or some other unusual number of times.

Referring to FIG. 10, the system 12 or a module thereof can be used in combination with audit logs 1100 and select user data 1300 for detection of various fraud or misuse scenarios. For example, the audit logs 1100 and select user data 1300 can be analyzed based upon criteria including remote physician staff accessing patients that aren't under their physician's care, accessing patients outside of their normal work area, accessing patients outside of their normal work shift or non-payroll user accessing payroll functions. Other criteria can also be used including patients with highest activity levels in a timeframe, users with highest activity levels in a timeframe, users with unusually long login sessions, users with high numbers of login failures and specific functions like blood type modifications.
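As an added illustration of joining audit logs with select user data (not code from the patent), the sketch below flags four of the criteria named above: access outside the normal work shift, outside the normal work area, to patients not under the user's physician, and payroll functions used by a non-payroll user. All user names, patient ids, function names and reason labels are constructed assumptions; note the overnight shift, which a naive start-to-end comparison would misclassify.

```python
from datetime import datetime, time

# Constructed "select user data": role, normal shift, work area, supervising physician.
USER_DATA = {
    "nurse.lee": {"role": "clinical", "shift": (time(7, 0), time(19, 0)),
                  "area": "cardiology", "physician": "dr.patel"},
    "nurse.kim": {"role": "clinical", "shift": (time(19, 0), time(7, 0)),
                  "area": "oncology", "physician": "dr.ng"},
    "clerk.roy": {"role": "billing", "shift": (time(9, 0), time(17, 0)),
                  "area": "billing", "physician": None},
}

# Constructed patient reference data: treating physician and ward.
PATIENT_DATA = {
    "P100": {"physician": "dr.patel", "area": "cardiology"},
    "P200": {"physician": "dr.ng", "area": "oncology"},
}

# Constructed audit log, already normalized to one record shape.
AUDIT_LOG = [
    {"ts": datetime(2024, 3, 4, 10, 15), "user": "nurse.lee", "function": "chart.view", "patient": "P100"},
    {"ts": datetime(2024, 3, 4, 22, 40), "user": "nurse.lee", "function": "chart.view", "patient": "P100"},
    {"ts": datetime(2024, 3, 5, 2, 30), "user": "nurse.kim", "function": "chart.view", "patient": "P200"},
    {"ts": datetime(2024, 3, 5, 23, 10), "user": "nurse.kim", "function": "chart.view", "patient": "P100"},
    {"ts": datetime(2024, 3, 6, 11, 0), "user": "clerk.roy", "function": "payroll.export", "patient": None},
]


def in_shift(moment, shift):
    """True if a time of day falls inside a shift, including shifts that cross midnight."""
    start, end = shift
    if start <= end:
        return start <= moment < end
    return moment >= start or moment < end   # e.g. 19:00 -> 07:00


def check_event(ev, users, patients):
    """Return the list of criteria this audit event violates (empty if none)."""
    profile = users.get(ev["user"])
    if profile is None:
        return ["unknown-user"]
    reasons = []
    if not in_shift(ev["ts"].time(), profile["shift"]):
        reasons.append("outside-work-shift")
    if ev["function"].startswith("payroll.") and profile["role"] != "payroll":
        reasons.append("non-payroll-user-payroll-function")
    patient = patients.get(ev.get("patient"))
    if patient is not None:
        if patient["area"] != profile["area"]:
            reasons.append("outside-work-area")
        if profile["physician"] is not None and patient["physician"] != profile["physician"]:
            reasons.append("patient-not-under-physician-care")
    return reasons


def scan(audit_log, users=USER_DATA, patients=PATIENT_DATA):
    """Map the index of every flagged audit event to its reasons."""
    flagged = {}
    for index, ev in enumerate(audit_log):
        reasons = check_event(ev, users, patients)
        if reasons:
            flagged[index] = reasons
    return flagged


if __name__ == "__main__":
    for index, reasons in scan(AUDIT_LOG).items():
        ev = AUDIT_LOG[index]
        print(f"{ev['ts']:%Y-%m-%d %H:%M} {ev['user']} {ev['function']}: {', '.join(reasons)}")
```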

As noted above, embodiments within the scope of the invention include program products comprising computer-readable media for carrying or having computer-executable instructions or data structures stored thereon. Such computer-readable media can be any available media which can be accessed by a general purpose or special purpose computer. By way of example, such computer-readable media can comprise RAM, ROM, EPROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of computer-executable instructions or data structures and which can be accessed by a general purpose or special purpose computer. When information is transferred or provided over a network or another communications connection (either hardwired, wireless, or a combination of hardwired or wireless) to a computer, the computer properly views the connection as a computer-readable medium. Thus, any such connection may be properly termed a computer-readable medium. Combinations of the above are also to be included within the scope of computer-readable media. Computer-executable instructions may include, for example, instructions and data which cause a general purpose computer, special purpose computer, or special purpose processing device to perform a certain function or group of functions.

The invention is described in the general context of operational steps which may be implemented in one embodiment by a program product including computer-executable instructions, such as program code, executed by computers in networked environments. Generally, program code may include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. Computer-executable instructions, associated data structures, and program modules represent examples of program code for executing steps of the methods disclosed herein. The particular sequence of such executable instructions or associated data structures represent examples of corresponding acts for implementing the functions described in such steps.

The present invention, in some embodiments, may be operated in a networked environment using logical connections to one or more remote computers having processors. Logical connections may include a local area network (LAN) and a wide area network (WAN) that are presented here by way of example and not limitation. Such networking environments are commonplace in office-wide or enterprise-wide computer networks, intranets and the Internet. Those skilled in the art will appreciate that such network computing environments will typically encompass many types of computer system configurations, including personal computers, hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers, and the like. The invention may also be practiced in distributed computing environments where tasks are performed by local and remote processing devices that are linked (either by hardwired links, wireless links, or by a combination of hardwired or wireless links) through a communications network. In a distributed computing environment, program modules may be located in both local and remote memory storage devices.

Other embodiments of the invention will be apparent to those skilled in the art from a consideration of the specification and the practice of the invention disclosed herein. It is intended that the specification be considered as exemplary only, with the true scope and spirit of the invention also being indicated by the disclosure herein and equivalents thereof.

1. A method of detecting improper access of protected data by an authorized user, the method comprising: normalizing extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; processing the normalized event data to determine at least one of the plurality of different associated authorized user identifiers is linked to the attempt to access the protected data; determining, based on the normalized event data and the at least one of the plurality of different associated authorized user identifiers, whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific authorized user; storing normalized event data that is incapable of being associated with a known user in a list separate from normalized event data having the at least one of the plurality of different associated authorized user identifiers; generating a notification, based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and generating additional data for the rule associated with the event data based on the notification, wherein the monitoring system continuously processes the normalized event data according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
2. An apparatus comprising: a processor; and at least one memory including computer program code for one or more programs, the at least one memory and the computer program code configured to, with the processor, cause the apparatus to: normalize extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data; determining, based on the normalized event data and the identifier, whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific user; generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and wherein the monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.
3. A non-transitory computer-readable storage medium carrying computer-readable instructions which, when executed by a processor, cause an apparatus to: normalize extracted event data from an event log file, the event log file including information associated with an attempt to access protected data by the authorized user, the authorized user having a plurality of different associated user identifiers, the normalizing of the event data being based on a predefined format; process the normalized event data to determine an identifier associated with the attempt to access the protected data, the identifier being indicative of one or more of an authorized user of a system associated with the protected data, a device used to attempt to access the protected data, an authorized user of the device used to attempt to access the protected data, a location of the device used to attempt to access the protected data, or a time of the attempt to access the protected data; determining, based on the normalized event data and the identifier, whether the attempt to access the protected data is fraudulent or indicative of probable misuse based on at least one rule applied by the monitoring system, the rule comprising at least one criterion related to accesses in excess of a specific volume, accesses during a pre-determined time interval, or accesses by a specific user; generate a notification based on a determination that the attempt to access the protected data is fraudulent or indicative of probable misuse; and wherein the monitoring system is configured to continuously process the normalized event data and the identifier according to a predefined schedule, and the event log file corresponds with an application of the plurality of applications accessible by the authorized user, each application of the plurality of applications has a corresponding event log file, and the event log file of each application of the plurality of applications has a file format of the plurality of different file formats.